Someone thinks it funny to do it on April Fools..
Attacks Port 587, uses an EHLO of server.com, looks to be router
compromises, but instead of the typical distributed low volume this one
is hitting hard.. But see some other types of Linux Servers as well..
Most rate limiter type tools are probably going to trigger on this one a
lot..
Sample Clipped Log Entry:

Apr 1 18:04:09 fe1 msd[14084]: Linux Magic SMTPD started: connection from 176.53.90.210 REQUIREAUTH (192.168.0.204:587) Linux 3.11 and ne
Apr 1 18:04:09 fe1 msd[14084]: GeoIP country code[176.53.90.210] = "TR"
Apr 1 18:04:09 fe1 msd[14084]: EHLO command received, args: server.com
Apr 1 18:04:10 fe1 msd[14084]: auth failed:
Apr 1 18:04:15 fe1 msd[14084]: smtp_read_command() internal error [-1]: Connection reset by peer
Apr 1 18:04:15 fe1 msd[14084]: Exiting (bytes in: 77 out: 212)

Nmap scan report for server-176.53.90.210.as42926.net (176.53.90.210)
Host is up (0.20s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5432/tcp open postgresql
9000/tcp open cslistener
9001/tcp open tor-orport
9002/tcp open dynamid
9003/tcp open unknown
9099/tcp open unknown

Nmap scan report for host72-130-107-176.static.arubacloud.pl (176.107.130.72)
Host is up (0.17s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
179/tcp filtered bgp
5432/tcp open postgresql
8080/tcp open http-proxy
What's in common? postgresql..
Page loads to 'My First OSM'
Haven't had a chance to see if this overlays other previous bots..
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"MagicSpam" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
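
Added example (not part of the original message and not LinuxMagic's own tooling): one way to tally the pattern reported above, failed AUTH on port 587 with an EHLO of server.com, per source address from msd-style log lines. The sample log is constructed, its addresses are documentation ranges, and the function names and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the msd log format quoted in the message;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 1 18:04:09 fe1 msd[14084]: Linux Magic SMTPD started: connection from 192.0.2.10 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:09 fe1 msd[14084]: EHLO command received, args: server.com
Apr 1 18:04:10 fe1 msd[14084]: auth failed:
Apr 1 18:04:11 fe1 msd[14090]: Linux Magic SMTPD started: connection from 192.0.2.10 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:11 fe1 msd[14090]: EHLO command received, args: server.com
Apr 1 18:04:12 fe1 msd[14090]: auth failed:
Apr 1 18:04:13 fe1 msd[14095]: Linux Magic SMTPD started: connection from 198.51.100.7 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:13 fe1 msd[14095]: EHLO command received, args: mail.example.org
Apr 1 18:04:14 fe1 msd[14095]: auth failed:
Apr 1 18:04:15 fe1 msd[14099]: Linux Magic SMTPD started: connection from 203.0.113.5 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:15 fe1 msd[14099]: EHLO command received, args: server.com
Apr 1 18:04:16 fe1 msd[14099]: auth failed:
Apr 1 18:04:17 fe1 msd[14084]: Linux Magic SMTPD started: connection from 203.0.113.9 REQUIREAUTH (192.168.0.204:587)
Apr 1 18:04:17 fe1 msd[14084]: EHLO command received, args: server.com
Apr 1 18:04:18 fe1 msd[14084]: Exiting (bytes in: 77 out: 212)
"""

START = re.compile(r"msd\[(\d+)\]: Linux Magic SMTPD started: connection from (\S+) \S+ \([^:)]+:(\d+)\)")
EHLO = re.compile(r"msd\[(\d+)\]: EHLO command received, args: (\S+)")
FAIL = re.compile(r"msd\[(\d+)\]: auth failed:")

def failed_auth_by_source(log_text, ehlo="server.com", port=587):
    """Count failed-auth sessions per source IP that match the EHLO and port."""
    sessions = {}   # pid -> state of the connection that pid is handling
    hits = Counter()
    for line in log_text.splitlines():
        if m := START.search(line):
            # A "started" line resets state, so a reused pid is a new session.
            sessions[m[1]] = {"ip": m[2], "port": int(m[3]), "ehlo": None}
        elif (m := EHLO.search(line)) and m[1] in sessions:
            sessions[m[1]]["ehlo"] = m[2].lower()
        elif m := FAIL.search(line):
            s = sessions.get(m[1])
            if s and s["port"] == port and s["ehlo"] == ehlo:
                hits[s["ip"]] += 1
    return hits

def over_threshold(hits, threshold):
    """Sources with at least `threshold` matching failures, sorted."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

Because sessions are keyed on the msd process id, each failure is tied to the connection it belongs to rather than to whichever source logged last.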